I.  INTRODUCTION


In BRL TR-02444, "The Worst-Case Mathematical Theory of Safe-Arming,"1
various simple strategies were analyzed to show which ones are suitable for
use in safe-arm devices. The most practical strategies seem to be the ones
that use simple ordering. No matter what the overall system strategy, it has
been proposed that the number of safe-arm inputs (or variables) needed could
be reduced by making some variables more sensitive than others. If some
accident should occur, properly chosen sensitivities would make the safe-arm
variables function in a safe order.


II.  DEFINING  SENSITIVITY 

It is necessary to first adopt a definition of sensitivity that is
relevant to the safe/arm (s/a) strategy. Sensitivity has to be related to the
system strategy used by an s/a device. Consider exactly how sensitivity is
supposed to affect a simply ordered safe-arm device. In the Simple Ordering
(S3) strategy, the only factor that determines a system event (s/a accident)
is the sequential order of the system binary variables. This order must be
altered to change the probability of a system event.

Sensitivity  must  be  defined  in  terms  of  order.  That  is,  more  sensitive 
variables  will  respond  to  given  levels  of  stress  sooner  than  less  sensitive 
variables. 

Let: {x, y, z, ...} be a set of independent s/a input variables
with sensitivities X, Y, ..., and

let: P[x,y] be the probability of the event sequence "x followed
by y (not necessarily in immediate succession)."

Then, it is useful if the sensitivity of the variable x, WITH RESPECT TO
the variable y, is defined by:

P[x,y] = X/(X+Y).    (1)

If q is an input variable with sensitivity DEFINED as unity, then:

P[q,x] = [1/(1+X)] = 1/(X+1)    (2)

and

P[x,q] = [X/(X+1)],    (3)

so that

P[q,x] + P[x,q] = [1/(X+1)] + [X/(X+1)] = 1.    (4)


1  Silvia,  Denis  A.,  "The  Worst-Case  Mathematical  Theory  of  Safe-Arming." 
Ballistic  Research  Laboratory  Technical  Report  #TR-02444,  May  1984. 
In general

P[x,y] + P[y,x]    (5)

For a system of three variables:

P[x,y,z] = [X/(X+Y+Z)] [Y/(Y+Z)] [Z/Z]
         = [X/(X+Y+Z)] [Y/(Y+Z)].    (6)


The  general  definition  of  system  sensitivity  for  a  simply  ordered  system 
of  n  variables  can  be  readily  constructed: 

Let {x1, x2, x3, ..., xn} be a set of n s/a input variables with individual
sensitivity weights X1, X2, ..., Xn, respectively.

Then:

P[x1,x2,...,xn] = [X1/(Σ(i=1..n) Xi)] ... [Xh/(Σ(i=h..n) Xi)] ... [Xn/Xn].    (7)

The  function  defined  in  equation  (7)  is  a  physically  reasonable 
definition  of  sensitivity  for  practical  problems,  since  a  stress  which  is 
increasing  with  time  will  force  the  most  stress  sensitive  variables  to  fail 
first. In the remaining sections the definition of sensitivity in terms of
order  will  be  used  to  examine  how  sensitivity  techniques  can  enhance  S3 
safe-arm  strategies. 


III.  FITTING  ORDERED  SENSITIVITY  INTO  THE  S3  STRATEGIES 

Sensitivity  does  not  change  which  sequences  lead  to  a  system  event,  but 
it  does  change  the  probability  that  any  given  sequence  will  occur  due  to  a 
random  set  of  events.  The  fact  that  different  sequences  have  different 
probabilities  of  occurrence  means  that  each  of  these  sequences  must  be 
individually specified and evaluated. As defined in Reference 1, an S3[I/J]
strategy is a simply ordered safe/arm system strategy with J independent
variables of which I or more must function in correct order to generate a
safe/arm signal to detonate the warhead. The S3[N/N] strategy does not pose
any problem, because there is only one sequence which can lead to a system
event in this strategy.

Let: S = P{system event}.

Let: {x, y, ...} be the solution sequence.

Then:

S = [X/(X+Y+...)] [Y/(Y+Z+...)] ...    (8)

A  number  of  sensitivity  strategies  have  been  solved  in  closed  form  for 
the  S3[N/N]  systems.  They  are  discussed  in  the  next  section. 


The S3[(N-1)/N] strategy is much more complicated. As shown in Reference
1, the solution sequences fall into three classes: I, II and III. The total
number of solutions is given by N^2 - 2N + 2. This means that for a system of 12
variables, 122 different sequences lead to a system event. The difference
between the methodology of Reference 1 and that needed for variables of
differing sensitivity is that when sensitivity strategies are used every
sequence contributes a different weight to the system function probability and
must therefore be individually evaluated.

Class  I  sequences  are  specified  by  recursively  using  the  Class  II  and 
Class  III  formulae.  The  sequences  in  Classes  II  and  III  can  be  specified 
readily.  The  set  of  Class  II  sequences  can  be  written  as  the  rows  of  the 
matrix: 


2  1  3  4  5  ...  N
2  3  1  4  5  ...  N
        ...
2  3  4  ...  N  1


where  the  digits  represent  the  order  of  the  variables. 
The  set  of  Class  III  sequences  can  be  written: 

3  1  2  4  5  ...  N
4  1  2  3  5  ...  N
        ...
N  1  2  3  4  ...  (N-1)

A  computer  program  for  the  S3[(N-1)/N]  strategy  has  been  written  for  the 
IBM  PC  microcomputer.  The  program  is  listed  in  the  Appendix. 


IV.  RESULTS  FOR  S3[N/N]  STRATEGIES

This section discusses S3[N/N] systems. The order sensitivity concept
can be added to the equation for S3[N/N] systems to give closed form equations
for several useful sensitivity strategies. The S3[(N-1)/N] strategy is more
complex and the microcomputer program listed in the Appendix will be used in the
next section to explore numerically the effect of sensitivity on S3[(N-1)/N]
systems.

There  are  two  variables  related  to  sensitivity  that  can  be  manipulated: 
range  and  distribution.  The  range  is  set  by  the  highest  and  lowest  (generally 
unity)  sensitivity  values  in  the  strategy,  while  distribution  determines  how 
the range is allotted among the system variables. A strategy without
sensitivity  structuring  is  treated  as  a  special  case  where  all  the  variables 
have  the  same  probability  weight,  i.e.  a  level  distribution.  It  does  not 
matter  what  sensitivity  weight  is  used  in  a  level  sensitivity  strategy  since 
the  same  answer  is  obtained  no  matter  what  weight  is  chosen. 


This is easily shown:

Let: k, ..., k be a level distribution of N variables and S be the
probability of a system failure.

Using Equation 7:

S = [k/Nk] [k/(N-1)k] ... = 1/N!, no matter what value k assumes.    (9)

A  simple  linear  strategy  is  one  in  which  the  sensitivity  weight  starts  at 
unity and increases by a constant number of units with each succeeding
variable.  S3CN/N]  systems  using  this  sensitivity  strategy  can  also  be  written 
in  closed  form: 


Let: 1, 2, 3, ... be a simple linear strategy in N variables.

Then the weight of each variable, W_i, is i and:

S = [1/Σ(i=1..N) i] [2/Σ(i=2..N) i] ... [N/Σ(i=N..N) i]

  = N! / {[N(N+1)/2] ... [2(N+(N-1))/2] [(1)(N+N)/2]}

  = 2^N N! / {N! [(2N)!/N!]} = 2^N N! / (2N)!.    (10)


Table 1. Level Vs. Simple Linear Strategies.

      PROBABILITY
 N    WEIGHTS         P[SYSTEM EVENT]
 1    (any)           1.0
 2    1,1             .5
 2    1,2             .3
 3    1,1,1           1.67E-1
 3    1,2,3           6.7E-2
 5    1,1,1,1,1       8.3E-3
 5    1,2,3,4,5       1.0E-3
10    1,1,...,1       2.8E-7
10    1,2,...,10      1.5E-9



It  is  clear  that  the  linear  sensitivity  strategy  is  superior  to  the  level 
one,  especially  for  larger  values  of  N.  This  is  deceptive,  however,  because 
the  larger  values  of  N  have  a  larger  range  of  variable  sensitivity  weights. 

If  the  range  of  the  linear  strategies  of  Table  1  is  equalized,  the  results  are 
more  representative.  The  equalized  linear  strategy  can  be  written  in  closed 
form  also: 


Let: 1, 2, ..., W be a linear distribution of N variables and
maximum sensitivity, W.

Let: A(i) = 1 + [(i-1)(W-1)] be the ith term in an equalized
linear distribution corresponding to the ith term in the linear
distribution above.

Then the equalized system event probability can be written:

S = Π(j=1..N) {A(j) / [Σ(k=j..N) A(k)]}.    (11)


Table 2. Equalized Linear Strategies.

      PROBABILITY
 N    WEIGHTS                 P[SYSTEM EVENT]
 1    10                      1.0
 2    1,10                    9.1E-2
 3    1,5.5,10                2.1E-2
 4    1,4,7,10                3.6E-3
 5    1,3.25,5.5,7.75,10      4.6E-4
 6    1,2.8,4.6,...,10        4.9E-5
 7    1,2.5,4.0,...,10        4.4E-6
 8    1,2.28,3.56,...,10      3.5E-7
 9    1,2.125,3.25,...,10     2.4E-8
10    1,2,...,10              1.5E-9

A  summary  comparison  of  the  three  kinds  of  sensitivity  strategy  shown  in 
Tables  1  and  2  is  given  in  Table  3: 


Table 3. Comparison of Level and Linear Strategies.

                  SIMPLE      EQUALIZED
 N    LEVEL       LINEAR      LINEAR
 1    1.0         1.0         1.0
 2    0.5         3.3E-1      9.1E-2
 3    1.67E-1     6.7E-2      2.1E-2
 4    4.2E-2      9.5E-3      3.6E-3
 5    8.3E-3      1.0E-3      4.6E-4
 6    1.4E-3      9.6E-5      4.9E-5
 7    2.0E-4      7.4E-6      4.4E-6
 8    2.5E-5      4.9E-7      3.5E-7
 9    2.8E-6      2.9E-8      2.4E-8
10    2.8E-7      1.5E-9      1.5E-9

Examination of Table 3 shows that the equalized linear strategy can
achieve a system event probability of less than 1.0E-6 with only eight
variables - two fewer than a level strategy. Even fewer variables are needed
with a "weak link" sensitivity strategy. The weak link approach is commonly
used in safety design where a chain of events is forced to fail at a
predetermined place by making one link in the chain much more likely to fail than
the other links. The methodology developed in this report is ideal for
examining the weak link strategy. One of the first questions is, "Where do we
place the weak link?" As before, let the range be equalized to ten. Then
Tables 4a, 4b, 4c and 4d show the effect of link location for several
S3[N/N] systems:


Table 4a. Weak-Link Strategies for Several Values of N. N=2

      LINK
 N    STRATEGY    P[SYSTEM EVENT]
 2    10  1       9.1E-1
       1 10       9.1E-2


Table 4b. Weak-Link Strategies for Several Values of N. N=3

      LINK
 N    STRATEGY      P[SYSTEM EVENT]
 3    10  1  1      4.2E-1
       1 10  1      7.6E-2
       1  1 10      7.6E-3


Table 4c. Weak-Link Strategies for Several Values of N. N=5

      LINK
 N    STRATEGY            P[SYSTEM EVENT]
 5    10  1  1  1  1      3.0E-2
       1 10  1  1  1      9.2E-3
       1  1 10  1  1      2.3E-3
       1  1  1 10  1      4.2E-4
       1  1  1  1 10      4.2E-5


Table 4d. Weak-Link Strategies for Several Values of N. N=10

      LINK
 N    STRATEGY                           P[SYSTEM EVENT]
10    10  1  1  1  1  1  1  1  1  1      1.4E-6
       1 10  1  1  1  1  1  1  1  1      7.2E-7
       1  1 10  1  1  1  1  1  1  1      3.4E-7
       1  1  1 10  1  1  1  1  1  1      1.5E-7
       1  1  1  1 10  1  1  1  1  1      6.0E-8
       1  1  1  1  1 10  1  1  1  1      2.1E-8
       1  1  1  1  1  1 10  1  1  1      6.6E-9
       1  1  1  1  1  1  1 10  1  1      1.6E-9
       1  1  1  1  1  1  1  1 10  1      3.0E-10
       1  1  1  1  1  1  1  1  1 10      3.0E-11



It is obvious from Tables 4 that the weak link strategy is superior to
the linear one and that the best location for a weak link is at the end. It
is not clear, however, whether another strategy might be better. Is one weak
link enough? Two? It is likely that the best number of links depends on the
number of variables. Equation 11 can be modified to include this strategy also:

Let: 1, 1, ..., W, ..., W be a weak link strategy of N variables
with k links of weight W.

Then:

S = (kW)!/{[kW+(N-k)]! k!}    (12)

Tables  5  explore  this  equation  for  different  numbers  of  links  of  weight 


Table 5a. Optimal Weak-Link Strategies for Several Values of N. N = 2

LINK
STRATEGY    P[SYSTEM EVENT]
 1 10       9.1E-2
10 10       1.0


Table 5b. Optimal Weak-Link Strategies for Several Values of N. N = 3

LINK
STRATEGY      P[SYSTEM EVENT]
 1  1 10      7.6E-3
 1 10 10      2.4E-2
10 10 10      8.3E-1


Table 5c. Optimal Weak-Link Strategies for Several Values of N. N = 5

LINK
STRATEGY            P[SYSTEM EVENT]
 1  1  1  1 10      4.2E-5
 1  1  1 10 10      4.7E-5
 1  1 10 10 10      1.7E-4
 1 10 10 10 10      1.0E-3
10 10 10 10 10      8.3E-3


Table 5d. Optimal Weak-Link Strategies for Several Values of N. N = 10

      LINK
 N    STRATEGY                           P[SYSTEM EVENT]
10     1  1  1  1  1  1  1  1  1 10      3.0E-11
       1  1  1  1  1  1  1  1 10 10      4.0E-12
       1  1  1  1  1  1  1 10 10 10      3.2E-12
       1  1  1  1  1  1 10 10 10 10      6.2E-12
       1  1  1  1 10 10 10 10 10 10      9.1E-11
       1  1  1 10 10 10 10 10 10 10      5.3E-10
       1  1 10 10 10 10 10 10 10 10      3.7E-9
       1 10 10 10 10 10 10 10 10 10      3.0E-8
      10 10 10 10 10 10 10 10 10 10      2.3E-5

It  is  clear  from  Tables  5a-5d  that  the  number  of  variables  does  determine 
the  optimum  number  of  weak  links.  Table  6  shows  the  optimum  number  of  links 
for  up  to  10  variables. 


Table 6. Summary of Optimal Strategies.

      OPTIMUM
 N    NUMBER     P[SYSTEM EVENT]
 2    1          9.1E-2
 3    1          7.6E-3
 4    1          5.8E-4
 5    1          4.2E-5
 6    2          2.0E-6
 7    2          7.8E-8
 8    2          3.0E-9
 9    2          1.1E-10
10    3          3.2E-12

As  Table  6  shows,  an  optimal  weak  link  strategy  is  superior  to  any  level 
or  linear  strategy  for  the  same  number  of  variables.  The  optimal  weak  link 
strategy  of  seven  variables  is  even  superior  to  a  level  strategy  of  ten 
variables.  The  strategy  of  seven  variables  with  two  weak  links  is 
significantly better than the 1/million requirement, so it is of interest to
determine how much the sensitivity range can be reduced before the 1.0E-6
limit  is  reached. 


Table 7. S3[N/N] STRATEGY REQUIREMENTS TO MEET A 1/MILLION SAFETY STANDARD

WEAK LINK      NUMBER       NUMBER        PROBABILITY
SENSITIVITY    OF           OF            OF
WEIGHT         VARIABLES    WEAK-LINKS    SYSTEM EVENT
 1             10           3             2.8E-7
 2              9           3             2.5E-7
 3              8           3             6.9E-7
 4              8           3             2.2E-7
 5              8           2             8.6E-8
 6              7           2             6.7E-7
 7              7           2             3.6E-7
 8              7           2             2.0E-7
 9              7           2             1.2E-7
10              7           2             7.8E-8


As Table 7 shows, we can use an optimal weak link strategy with seven
variables and a maximum sensitivity level of only six to meet the 1/million
requirement. The lower sensitivity in an optimal weak link strategy has other
advantages, such as lower probability that the safe/arm will be inactivated by
sensitive variables that function prematurely. This results in a "dud"
munition.
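
The closed forms of this section, as an added Python example (not code from the report): it evaluates Equation (7) with exact fractions, checks Equation (12) against the direct product, and searches for the optimal number of weak links (Table 6) and the fewest variables that get below 1.0E-6 (Table 7). Function names are hypothetical, weak links are assumed to sit in the last positions, and the equalized step (W-1)/(N-1) is an assumption chosen to reproduce the weights listed in Table 2.

```python
from fractions import Fraction
from math import factorial


def sequence_probability(weights):
    """Equation (7): probability that the variables function in the listed order."""
    ws = [Fraction(w) for w in weights]
    remaining = sum(ws)
    p = Fraction(1)
    for w in ws:
        p *= w / remaining      # chance this variable is next among those left
        remaining -= w
    return p


def equalized_linear(n, w_max):
    """Weights from 1 to w_max in n equal steps (step size is an assumption)."""
    if n == 1:
        return [Fraction(w_max)]
    step = Fraction(w_max - 1, n - 1)
    return [1 + i * step for i in range(n)]


def weak_link(n, k, w):
    """n variables of weight 1 except the last k, which are weak links of weight w."""
    return [1] * (n - k) + [w] * k


def weak_link_closed_form(n, k, w):
    """Equation (12); w must be an integer so the factorials are defined."""
    return Fraction(factorial(k * w), factorial(k * w + n - k) * factorial(k))


def optimal_links(n, w):
    """Number of trailing weak links (1..n-1) that minimises P[system event]."""
    return min(range(1, n), key=lambda k: weak_link_closed_form(n, k, w))


def min_variables(w, limit=Fraction(1, 10**6)):
    """Fewest variables, with the best link count, that get below the limit."""
    n = 2
    while True:
        k = optimal_links(n, w)
        p = weak_link_closed_form(n, k, w)
        if p < limit:
            return n, k, p
        n += 1


if __name__ == "__main__":
    for n in range(2, 11):                      # compare with Table 6
        k = optimal_links(n, 10)
        print(n, k, f"{float(weak_link_closed_form(n, k, 10)):.1E}")
    for w in (6, 10):                           # compare with Table 7
        n, k, p = min_variables(w)
        print(f"weight {w}: {n} variables, {k} weak links, {float(p):.1E}")
```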


V.  RESULTS  FOR  S3[(N-1)/N]  STRATEGIES

S3[(N-1)/N] system strategies are more complicated than S3[N/N]
strategies, but they offer lower dud rates. The microcomputer program listed in
the Appendix has been used to explore the effect of sensitivity strategies on
S3[(N-1)/N] systems.

Table  8  shows  a  comparison  of  level,  simple  linear  and  equalized  linear 
strategies  for  1  to  12  system  variables: 

Table 8. Comparison of Level and Linear Strategies.

                  SIMPLE      EQUALIZED
 N    LEVEL       LINEAR      LINEAR
 1    1.0E0       1.0E0       1.0E0
 2    1.0E0       1.0E0       1.0E0
 3    8.3E-1      6.7E-1      4.9E-1
 4    4.2E-1      2.0E-1      1.3E-1
 5    1.4E-1      3.8E-2      2.4E-2
 6    3.6E-2      5.4E-3      3.5E-3
 7    7.3E-3      6.0E-4      4.2E-4
 8    1.2E-3      5.4E-5      4.2E-5
 9    1.8E-4      4.2E-6      3.7E-6
10    2.3E-5      2.8E-7      2.8E-7
11    2.5E-6      1.7E-8      1.9E-8
12    2.5E-7      8.8E-10     1.2E-9

Once again the linear sensitivity strategies require a smaller number of
variables than level ones for a given level of safety, so we can follow the
pattern of the previous section and examine weak-link sensitivity strategies.
Tables 9 show the event probabilities for several S3[(N-1)/N] systems using a
single weak-link sensitivity strategy.


Table 9a. Weak-Link Strategies for Selected Values of N. N = 3

STRATEGY      P[SYSTEM EVENT]
10  1  1      9.9E-1
 1 10  1      9.2E-1
 1  1 10      5.8E-1


Table 9b. Weak-Link Strategies for Selected Values of N. N = 5

STRATEGY            P[SYSTEM EVENT]
10  1  1  1  1      3.4E-1
 1 10  1  1  1      1.8E-1
 1  1 10  1  1      9.4E-2
 1  1  1 10  1      5.5E-2
 1  1  1  1 10      4.3E-2


Table 9c. Weak-Link Strategies for Selected Values of N. N = 10

LINK
STRATEGY                           P[SYSTEM EVENT]
10  1  1  1  1  1  1  1  1  1      1.0E-4
 1 10  1  1  1  1  1  1  1  1      5.5E-5
 1  1 10  1  1  1  1  1  1  1      2.9E-5
 1  1  1 10  1  1  1  1  1  1      1.5E-5
 1  1  1  1 10  1  1  1  1  1      8.2E-6
 1  1  1  1  1 10  1  1  1  1      4.9E-6
 1  1  1  1  1  1 10  1  1  1      3.5E-6
 1  1  1  1  1  1  1 10  1  1      3.0E-6
 1  1  1  1  1  1  1  1 10  1      2.8E-6
 1  1  1  1  1  1  1  1  1 10      2.8E-6

As  in  the  previous  section,  a  weak-link  is  most  effective  in  the  last 
position  of  the  variable  sequence.  Table  10  lists  the  system  event 
probabilities  for  up  to  twelve  variables  with  a  sensitivity  strategy  using  a 
single weak-link of weight 10 in the last variable position.
Table 10. Single Weak-Link Strategies

 N    P[SYSTEM EVENT]
 1    1.0E0
 2    1.0E0
 3    5.8E-1
 4    1.8E-1
 5    4.3E-2
 6    8.5E-3
 7    1.4E-3
 8    2.0E-4
 9    2.5E-5
10    2.8E-6
11    2.8E-7
12    2.5E-8


In Section IV it was found that with larger sets of variables, system
safety  is  improved  with  more  than  a  single  weak  link.  Table  11  lists  the 
number  of  weak  links  and  corresponding  system  event  probabilities  for  systems 
up  to  12  variables. 


Table 11. Optimal Weak-Link Strategies.

      OPTIMUM
      NUMBER OF
 N    LINKS        P[SYSTEM EVENT]
 3    2            5.7E-1
 4    2            5.5E-2
 5    2            4.0E-3
 6    2            2.5E-4
 7    2            1.4E-5
 8    2            7.7E-7
 9    3            3.3E-8
10    3            1.1E-9
11    3            3.6E-11
12    3            1.1E-12

Table  11  shows  that  an  optimal  weak-link  strategy  with  sensitivity  weight 
ten  requires  only  eight  variables  to  provide  protection  at  the  1.0E-6  level. 
This  compares  favorably  with  the  12  variables  needed  to  meet  the  same 
criterion  with  a  level  strategy. 


Table 12. S3[(N-1)/N] STRATEGY REQUIREMENTS TO MEET
A 1/MILLION SAFETY STANDARD.

WEAK-LINK      NUMBER       NUMBER        PROBABILITY
SENSITIVITY    OF           OF            OF
WEIGHT         VARIABLES    WEAK-LINKS    SYSTEM EVENT
 1             12           N/A           2.5E-7
 2             11           4             1.9E-7
 3             10           3             4.4E-7
 4             10           3             1.2E-7
 5              9           3             7.3E-7
 6              9           3             3.3E-7
 7              9           3             1.7E-7
 8              9           3             9.2E-8
 9              9           3             5.3E-8
10              8           2             7.7E-7

Table  12  shows  how  the  sensitivity  weight  of  the  weak  link  variable(s) 
can affect the number of system variables needed to meet the 1/million safety
standard. 


VI.  CONCLUSIONS 

Order Sensitivity is a powerful concept that extends the Worst-Case
safe/arm hypothesis to the analysis of more complicated and realistic safe/arm
designs.

Order Sensitivity strategies can be incorporated into simply ordered
safe/arm devices with fruitful results.

The Optimal Weak-Link sensitivity strategy is the best of those tested
for both S3[N/N] and S3[(N-1)/N] systems.

Using the Optimal Weak-Link sensitivity strategy the number of variables
needed to meet or better the 1.0E-6 safety standard can be reduced from 10 to
7 for an S3[N/N] system and from 12 to 8 for an S3[(N-1)/N] one.

The Ordered Sensitivity approach could be applied to other safe/arm
strategies and, like the worst-case hypothesis for safe/arming, should be
useful for general use in safety analysis and design. The discovery that the
optimal number of weak links is dependent on the number of variables in a
simply ordered safety system may have great significance in the design of
safety.
APPENDIX

A MICROCOMPUTER PROGRAM TO COMPUTE SYSTEM EVENT PROBABILITIES FOR
(N-1)/N SAFE-ARM DEVICES USING SIMPLE ORDERING + SENSITIVITY STRATEGIES.

The S3[(N-1)/N] safe-arm system strategy can be readily solved in closed
form if the system variables have a level sensitivity distribution, but if the
system variables are not all of the same sensitivity then each sequence
leading to a system event must be evaluated individually. The method used in
this report is the same one described in Reference (1), Appendix B:

The  set  of  solutions  that  lead  to  a  system  event  is  partitioned  into 
three  classes: 

Class  I  consists  of  sequences  in  which  the  variable  that  is 
supposed  to  function  first  does  function  first. 

Class II consists of sequences in which the variable that is
supposed  to  function  second  functions  first. 

Class  III  consists  of  sequences  in  which  one  of  the  variables 
other  than  those  that  are  supposed  to  function  first  or  second 
functions  first. 

Class I sequences are enumerated indirectly. If variable #1 does
function first, then no out-of-order has occurred. This means that the
remaining N-1 variables are still permitted one out-of-order variable. But
this is precisely the definition of an S3[(N-2)/(N-1)] strategy in the
variables 2 to N. The Class I sequences can thus be found recursively:

Step 1. Variable #1 is assumed to function first.

Step 2. Variables 2-N are re-labeled 1', ..., (N-1)',
respectively.

Step 3. Class II and III sequences are enumerated for the
strategy formed by variables 1' to (N-1)'.

Step 4. Steps 1 to 4 are repeated for the primed system
(variable #1 is replaced by variable #1').

Sequences  in  Class  II  can  be  enumerated  by  inspection.  If  variable  #2 
functions  first,  then  the  single  malfunction  permitted  by  the  strategy  has 
already  occurred.  Variables  3  to  N  must  then  be  in  sequence.  The  only 
remaining variable is #1. There are N-1 possible positions for #1 in the
sequence. The set of Class II sequences can be shown as the rows in the
matrix:

        2  1  3  4  ...  N
        2  3  1  4  ...  N
II  =   2  3  4  1  ...  N
        2  3  4  ...  N  1
Sequences in Class III are also easily enumerated. For each of the
choices 3 to N for the first variable in the sequence, the one allowed
misfunction has already occurred - just as in Class II. This means that all
other variables must function in order. There are N-2 possible choices for
the first variable and the set of Class III sequences can be shown as the rows
in the matrix:

         3  1  2  4  ...  N
         4  1  2  3  ...  N
III  =   5  1  2  3  ...  N
                ...
         N  1  2  3  ...  (N-1)
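
The Class I/II/III enumeration described above, as an added Python example (not the report's BASIC program): it generates every sequence that leads to a system event, cross-checks the set against a brute-force definition ("dropping one variable leaves the rest in order"), and sums the Equation (7) probability of each sequence. Function names are hypothetical, and weights[i] is assumed to be the sensitivity of the variable intended to function in position i+1.

```python
from fractions import Fraction
from itertools import permutations
from math import factorial


def sequence_probability(weights):
    """Equation (7) for one firing order, given the weights in that order."""
    remaining, p = sum(weights), Fraction(1)
    for w in weights:
        p *= Fraction(w) / remaining
        remaining -= w
    return p


def event_sequences(n):
    """Yield each firing order (variable numbers 1..n) accepted by S3[(N-1)/N]."""
    for i0 in range(n):                      # Class I: first i0 variables in order
        head = list(range(1, i0 + 1))
        rest = list(range(i0 + 1, n + 1))    # re-labelled sub-system still to fire
        if len(rest) < 2:
            continue
        first, tail = rest[0], rest[1:]
        # Class II: the second variable fires first; 'first' takes any later slot
        for pos in range(1, len(tail) + 1):
            yield tuple(head + tail[:pos] + [first] + tail[pos:])
        # Class III: a third-or-later variable fires first, all others in order
        for v in rest[2:]:
            yield tuple(head + [v] + [x for x in rest if x != v])
    yield tuple(range(1, n + 1))             # the fully ordered sequence


def at_most_one_out_of_order(order):
    """Brute-force definition: dropping one variable leaves the rest in order."""
    return any(
        list(order[:i] + order[i + 1:]) == sorted(order[:i] + order[i + 1:])
        for i in range(len(order))
    )


def system_event_probability(weights):
    """P[system event]: sum of Equation (7) over every accepted sequence."""
    ws = [Fraction(w) for w in weights]
    return sum(
        sequence_probability([ws[v - 1] for v in seq])
        for seq in event_sequences(len(ws))
    )


if __name__ == "__main__":
    print(len(list(event_sequences(12))))            # N^2 - 2N + 2 for N = 12
    for strategy in ([10, 1, 1], [1, 10, 1], [1, 1, 10]):   # compare with Table 9a
        print(strategy, f"{float(system_event_probability(strategy)):.1E}")
```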

The  evaluation  process  described  above  has  been  written  into  a  program 
for  the  IBM  PC  Microcomputer.  Although  Basic  is  an  unstructured  language, 
some structuring can be introduced by using line number groups and "top down"
programming  techniques.  The  top  level  program  is  followed  by  the  detailed 
listing  of  the  program  in  IBM  PC  Basic. 
TOP LEVEL PROGRAM

****NUSTART 6/13/1100****

INITIALIZATION (LINES 1-199)

Input # Variables (N)

Dimension Arrays

Input weight of each variable

ENDINITIALIZATION

MAIN PROGRAM (LINES 200-999)

LOOP FROM I0=0 TO N-1
Fill ZS Array with 99's
Get the Class II sequences
Fill ZS Array with 99's
Get Class III Sequences
Print Result

ENDMAIN PROGRAM

SUBROUTINE FILL IN ZS'S (Lines 1000-1999)

Fill the ZS Array with 99's

ENDSUBROUTINE

SUBROUTINE 2'S (Lines 2000-3000)

Re-label variables I0+1 to N as variables 1 to N-I0

LOOP to Construct Class II sequences

Construct a Class II sequence

GOSUB 5000 (Compute sequence probability)

ENDLOOP

SUBROUTINE 3'S (lines 3000-5000)

LOOP to Construct Class III sequences

Construct a Class III Sequence

GOSUB 5000 (Compute sequence probability)

ENDLOOP

ENDSUBROUTINE

SUBROUTINE 5000 (lines 5000-5999)

PRINT System Strategy
GOSUB 6000 (Computation)

ENDSUBROUTINE

SUBROUTINE 6000 (Lines 6000-6999)

Compute sequence probability and add to System
PRINT

ENDSUBROUTINE



DETAILED  PROGRAM  LISTING 


2 PRINT"***** NUSTART 6/13/1100*****"
3 PRINT"*"
4 DEFDBL A-H, L-N, O-Z
5 DIM ZS(50), NS(50)
6 PRINT ,"INPUT N";:INPUT N
7 PROB=0:SUMWT=1:TERM=1
8 FOR I=1 TO N
9 PRINT ,"INPUT WT. OF DET #";I;" ";:INPUT NS(I)
10 NEXT I
12 FOR L%=1 TO N:PRINT NS(L%);:NEXT L%
13 PRINT""
197 REM
198 REM END INITIALIZATION
199 REM********************************************************
200 REM MAIN LOOP
201 REM
210 FOR I0=0 TO N-1 ' I0 = NUMBER OF LEADING VARIABLES IN CORRECT ORDER
230 GOSUB 1000:GOSUB 2000
240 GOSUB 1000:GOSUB 3000
270 NEXT I0
990 FOR I=1 TO N:ZS(I)=NS(I):NEXT I:GOSUB 5000 ' FULLY ORDERED SEQUENCE
992 PRINT "N=";N;" NS(I)=";:FOR K=1 TO N:PRINT NS(K);:NEXT K
993 PRINT" PROB=";PROB:PRINT""
994 END
997 REM END MAIN LOOP
999 REM*******************************************************
1000 REM SUBROUTINE FILL IN ZS'S
1001 REM
1010 FOR I1=0 TO N
1020 ZS(I1)=99
1030 NEXT I1
1990 RETURN
1998 REM END SUBROUTINE FILL IN ZS'S
1999 REM
2000 REM SUBROUTINE 2'S
2020 FOR I2=I0+1 TO N ' I2 = POSITION TAKEN BY VARIABLE I0+1
2025 IF I2=I0+1 THEN 2950
2030 FOR J2=I0+1 TO I2-1
2040 ZS(J2)=NS(J2+1)
2050 NEXT J2
2060 ZS(I2)=NS(I0+1)
2065 IF I2=N THEN 2940
2070 FOR K2=I2+1 TO N
2080 ZS(K2)=NS(K2)
2090 NEXT K2
2940 GOSUB 5000
2950 NEXT I2
2980 REM
2990 RETURN
2998 REM END SUBROUTINE 2'S
2999 REM******************************************************
3000 REM SUBROUTINE 3'S
3010 IF I0>N-3 THEN 4020
3020 FOR I3=I0+3 TO N ' I3 = VARIABLE THAT FUNCTIONS FIRST
3030 ZS(I0+1)=NS(I3)
3040 FOR J3=I0+2 TO I3
3050 ZS(J3)=NS(J3-1)
3060 NEXT J3
3070 IF I3=N THEN 4000
3080 FOR J3=I3+1 TO N
3090 ZS(J3)=NS(J3)
3100 NEXT J3
4000 GOSUB 5000
4010 NEXT I3
4020 RETURN
4998 REM END SUBROUTINE 3'S
5000 REM PRINT SUBROUTINE
5010 FOR I5=0 TO I0:ZS(I5)=NS(I5):NEXT
5020 IF I0=N THEN 5080
5030 FOR I5=I0+1 TO N
5040 REM :PRINT ZS(I5);
5050 NEXT
5060 REM :PRINT "I0=";I0
5080 GOSUB 6000
5090 RETURN
5998 REM END PRINT SUBROUTINE
6000 REM SUBROUTINE TERM AND SYSTEM COMP
6010 TERM=1:SUMWT=0
6020 FOR I6=1 TO N
6030 SUMWT=SUMWT+ZS(I6)
6040 NEXT I6
6050 FOR I6=1 TO N
6060 TERM=TERM*ZS(I6)/SUMWT ' EQUATION (7) FACTOR FOR THIS POSITION
6070 SUMWT=SUMWT-ZS(I6)
6080 NEXT I6
6090 PROB=PROB+TERM
6100 REM PRINT TERM,SUMWT,PROB
6110 RETURN
6998 REM END COMPUTE SUBROUTINE